CCI-002890

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

22 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

7 rules found Severity: Medium

17 rules found Severity: High

1 rule found Severity: High

2 rules found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: High

CCI-002890

Use Only FIPS 140-2 Validated Ciphers

Set kernel parameter 'crypto.fips_enabled' to 1

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Operators of the A10 Networks ADC must not use the Telnet client built into the device.

The A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

Arista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

The FortiGate devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.

The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.

Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

The Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

The Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.

The Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

The Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.

The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

The Cisco ISE must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

The Juniper EX switches must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

FIPS mode must be enabled.

The Windows Remote Management (WinRM) client must not allow unencrypted traffic.

The Windows Remote Management (WinRM) service must not allow unencrypted traffic.

The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

The TippingPoint TPS must have FIPS mode enforced.

TOSS must implement DoD-approved encryption in the OpenSSL package.

Install crypto-policies package

Configure System Cryptography Policy

NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

The macOS system must limit SSHD to FIPS-compliant connections.

Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.

Ubuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

AlmaLinux OS 9 must have the crypto-policies package installed.

Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

The Dell OS10 Switch must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

AOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.

The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

The HYCU virtual appliance must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

The Juniper router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.

IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

For nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA256 or higher to protect the integrity of maintenance and diagnostic communications.

The Juniper SRX Services Gateway must securely configure SSHv2 FIPS 140-2/140-3 validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Remote Desktop Services must be configured with the client connection encryption set to the required level.

Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.

Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.

OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

The Palo Alto Networks security platform must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.

RHEL 9 must have the crypto-policies package installed.

RHEL 9 cryptographic policy must not be overridden.

RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.

The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

The Photon operating system must configure sshd to use approved encryption algorithms.

The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.